I know this sounds terrible, but I have a web app that has no users in the Philippines, but is constantly bombarded by spammers, carders testing cards, and other BS from there. I can see in the logs that they have IPs in the Philippines and are initially finding my site via google.ph or other .ph sites.

I have pretty good filters and security checks in place, so they don't really cause much damage, but nonetheless, I'm really getting tired of it. They use up bandwidth, fill up my database, abuse logs, and security logs with crap, waste my time terming accounts, etc.

I know 99.999999999999999999999999999999% of Philippine citizens aren't spammers, and I can't just block every country that annoys me, but at this point, I think it's time to just kiss the Philippines good-by.

I know they can then spoof, but at least I can make them work for it a bit.

I know there are a few geoip services out there. Anyone know of any free or inexpensive services? Or any other way to filter out traffic from a specific country?

I'm running PHP on Apache 2.

Edit:

Regarding some of the answers:

Like I said, I have very good automatic security in place, I know people can come from other places, and I know that people in PH can spoof (though the ones that I am having problems with, may not be that technically able - they use desktop auto-browsing software and/or cheap data entry labor, as far as I can tell).

I'm also aware of the fact that I can't just block every country that annoys me.

However, PH gives me no benefit whatsoever. I have never made a dollar from there, but they have originated 85% of my problems over the last three years, and are nothing but a huge wasting time-suck for me.

I know blocking countries is not a great practice, and has many problems, but for this country, I will make an exception.

If you feel like telling me what a bad idea this is, please feel free to do so, but also consider that things change, I can always un-block later, and just because I block the one country as part of my overall security scheme, doesn't mean I have to block other countries later. Be a little flexible in your thinking...

There'd need to be 1,000,000,000,000,000,000,000,000,000,000 people in the Philippines and only one spammer for that % to be true. :-p
– ceejayoz, Jun 8 '09 at 20:37

Ok, ok, I meant to say that I know 12% of people in the Philippines aren't spammers, and I really don't need business from either of them... =o)
– Eli, Jun 8 '09 at 20:42

1

The Philippines is one of the major English-speaking countries in the world, next to the US, the UK, Canada, and Australia. I'd strongly suggest not banning them, any more than you would ban Australia. Unless of course, your site is country-specific. But if it is, it should have a country-specific TLD, rather than a dot-com, then people would know you don't deal with them, and could go to similarname.com, which does.
– Lee B, Nov 8 '09 at 9:43

Unlike most of the other posters here, I'm not going to tell you this is a bad idea, that you shouldn't do it, that it won't solve your problem, or that you should do something else. Here's what happened to us:

Individuals from China and Korea (or using proxies in China and Korea, anyway) kept annoying us. Portscanning, crawling our websites looking for vulnerabilities, making login attempts, etc. I tried to ignore them (fail2ban takes care of them usually) but at some points they were hitting us so hard that it effectively turned into a DoS attack. When you have hundreds of connections at once from people trying to use your webserver as a proxy, trying to SSH into your machine, trying random usernames and passwords, it tends to weigh on the site. I eventually got fed up.

We don't get any legitimate traffic from China or Korea; our company doesn't sell there (we're e-commerce) so there was no risk of losing legitimate traffic, so I figured it was easier to block them ahead of time instead of waiting for them to be dicks.

Note 3: We use a nethash because all of our ranges are stored as CIDR blocks. If you don't want to convert them to CIDR, you can use an iptreemap instead, but I imagine that might be less efficient if you're getting a lot of traffic.

The point I want to make is that the idea of blocking a country like China or Korea or anywhere for that matter isn't just blocking out a bunch of people that speak a different language than you. I'm a United States citizen and if I wanted to purchase something from your company you lost me as a customer because I'm serving in South Korea. So yea, there is legitimate traffic there.
– GNUix, Jun 10 '09 at 3:04

4

Right, except that since we don't ship to South Korea, we can't sell you anything anyway, so there's no point in you going on our website. We'd never had anyone from China or Korea buy anything and ship it to the US either, so the number of sales lost might possibly hit ten in a year based on our analysis.
– Dan Udey, Jun 12 '09 at 1:28
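Note 3 in the answer above mentions converting ranges to CIDR blocks for a nethash set. The following is an added example, not the poster's script: it turns start/end ranges into a minimal CIDR list, checks an address against it, and emits `ipset restore` input. The sample ranges are constructed documentation addresses, the set name `geoblock` is hypothetical, and only IPv4 is handled.

```python
import ipaddress

# Constructed start/end ranges in the style of a GeoIP CSV export.
# These are RFC 5737 documentation addresses, not real country data.
SAMPLE_RANGES = [
    ("192.0.2.0", "192.0.2.255"),
    ("198.51.100.0", "198.51.100.127"),
    ("198.51.100.128", "198.51.100.255"),
    ("203.0.113.16", "203.0.113.40"),   # not aligned to a single prefix
]

def ranges_to_cidrs(ranges):
    """Convert inclusive (start, end) ranges to a minimal list of CIDR blocks."""
    nets = []
    for start, end in ranges:
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent or overlapping blocks so the set stays small.
    return list(ipaddress.collapse_addresses(nets))

def is_blocked(ip, cidrs):
    """True if ip falls inside any block (linear scan; a kernel set hashes)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cidrs)

def ipset_restore_lines(set_name, cidrs):
    """Lines for `ipset restore`; hash:net is the current name for nethash."""
    return [f"create {set_name} hash:net"] + [f"add {set_name} {n}" for n in cidrs]

if __name__ == "__main__":
    cidrs = ranges_to_cidrs(SAMPLE_RANGES)
    print("\n".join(ipset_restore_lines("geoblock", cidrs)))  # hypothetical name
    print(is_blocked("203.0.113.40", cidrs), is_blocked("203.0.113.41", cidrs))
```

The unaligned last range expands to three blocks, which is why range-based GeoIP data usually produces more set entries than it has rows.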

Obviously not. You don't just create a teetering monstrosity of special cases, that's enormously fragile and a recipe for disaster. You also don't just patch TODAY'S symptom of the underlying problem.

Instead, figure out the root cause, and fix that. This is far more robust than any hacky special-case patch you could implement.

Why is your web app vulnerable to spam? What characteristics make it vulnerable? What characteristics make it a valuable target? Are there ways you can change those characteristics to make your app more robust against spam and less of a tempting target? Almost certainly the answer to these questions is yes. Add validation chains to your forms, use a captcha intelligently, randomize urls and/or parameter names to make them unfriendly to bots. There are millions of ways to approach this problem, I'm sorry to say you have chosen one of the least valuable, least useful, and most fragile solutions out there.

crashmstr: I would think so. Taking this type of action to try and block off entire countries is only going to cause you to cut off more potential users than you are cutting off potential spammers. And when the spammers start coming from areas that you don't want to block (like your own country), you're going to be in deep doodoo because all your previous methods will have been a waste.
– TheTXI, Jun 8 '09 at 20:36

I agree... I know this is off topic, but since he said the traffic is coming via google.ph... is there a way to stop showing results on google.ph only?
– Zachary, Jun 8 '09 at 20:42

As others have far more eloquently put, blocking a specific country doesn't fix the problem, it just defers it slightly. Also, when users from that country see you've blocked them specifically, it will only motivate them to cause you more problems.

That said, if you really want to do this, IPinfoDB provide a free IP geolocation database,

You should use products like fail2ban to key off errors you throw in your web application indicating a spamming attempt is underway. This will block the IP for a period of time, making your site resistant, but not blanket blocking entire IP blocks.

As I said in the post, which apparently nobody read, I have a perfectly fine system of blocking and preventing spam. I am looking to lighten the workload it has to do, and the time I have to spend monitoring it.
– Eli, Jun 9 '09 at 18:37

Which is why I suggested fail2ban. It automatically bans problem IPs for you without brute force blocking large IP blocks.
– Kevin Kuphal, Jun 9 '09 at 19:06

GeoIPing is the worst idea ever thunked up. GeoIP is the reason I can't watch my Hulu TV shows, get my federally guaranteed annual credit report, or a host of other things... because I'm serving overseas. Blocking traffic from an entire country should be considered extremism.

That being said, I would opt for a Snort + OSSEC solution that could maintain something like this dynamically.

Did you consider finding who is operating the networks you are being attacked from? Find the "abuse" contact using whois and report to them. Of course it may come from several networks, but it also may be worth it if you see some recurring addresses / network blocks.

If you've ever tried to deal with ISPs in Asia (especially China, Korea, etc), you'll find that the one thing they never do is care about some foreigners complaining about something. It's not worth their time to do things properly so they don't. Reporting abuse becomes a waste of your time.
– Dan Udey, Jun 10 '09 at 1:17

I'm based in Korea and I have had nothing but a pleasant experience with Korean ISPs.
– GNUix, Jun 10 '09 at 3:01

You have every right to block IP addresses for whatever reason you can justify for yourself. It is you that provides a service and it is you who decides who can have it or not.
It is perhaps questionable if this is moral but that is something you can only decide for yourself.

However, blocking an IP segment because it has some geographic aspects to it sounds to me more or less like a panic approach.

What I have done in the past is have a crawler go through my most recent logs and, based on that, ban individual IPs that are annoying for a period of 24 hours. If that specific IP misbehaves again it is banned for 2 days, then 3 days, etc. You get the drift.

IPs that are banned for more than a week will be mailed to me and I send an abuse mail to that service provider (who knows, it might even help).
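The escalating-ban scheme in the answer above, sketched as an added example (not the poster's crawler). The definition of "annoying" used here, three or more rejected POSTs per log pass, is an assumption, as are the sample log lines, which are constructed with documentation addresses.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in Apache common-log style (RFC 5737 documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jun/2009:20:01:10 +0000] "POST /signup HTTP/1.1" 403 512
203.0.113.7 - - [08/Jun/2009:20:01:11 +0000] "POST /signup HTTP/1.1" 403 512
203.0.113.7 - - [08/Jun/2009:20:01:12 +0000] "POST /checkout HTTP/1.1" 403 512
192.0.2.44 - - [08/Jun/2009:20:02:00 +0000] "POST /signup HTTP/1.1" 403 512
192.0.2.44 - - [08/Jun/2009:20:02:05 +0000] "POST /signup HTTP/1.1" 403 512
198.51.100.20 - - [08/Jun/2009:20:03:00 +0000] "POST /signup HTTP/1.1" 200 2048
198.51.100.20 - - [08/Jun/2009:20:03:09 +0000] "GET /missing HTTP/1.1" 404 300
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) [^"]*" (\d{3}) ')
THRESHOLD = 3          # assumed: rejected POSTs per run that count as abuse
REPORT_AFTER_DAYS = 7  # bans longer than this are reported for an abuse mail

def offenders(log_text):
    """Return sorted IPs with at least THRESHOLD rejected (4xx) POSTs."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "POST" and m.group(3).startswith("4"):
            hits[m.group(1)] += 1
    return sorted(ip for ip, n in hits.items() if n >= THRESHOLD)

def apply_bans(state, ips, now):
    """Ban 1 day on the first offence, 2 on the second, 3 on the third...

    state maps ip -> {"strikes": int, "until": datetime} and must persist
    between runs. Returns the IPs whose new ban is longer than a week.
    """
    to_report = []
    for ip in ips:
        entry = state.setdefault(ip, {"strikes": 0, "until": now})
        if entry["until"] > now:
            continue  # still banned: old log lines must not add a strike
        entry["strikes"] += 1
        entry["until"] = now + timedelta(days=entry["strikes"])
        if entry["strikes"] > REPORT_AFTER_DAYS:
            to_report.append(ip)
    return to_report

if __name__ == "__main__":
    state, now = {}, datetime(2009, 6, 8, 21, 0)
    print(offenders(SAMPLE_LOG), apply_bans(state, offenders(SAMPLE_LOG), now))
    print(state)
```

Skipping addresses that are still banned matters when the crawler re-reads overlapping log windows, otherwise one burst of requests would be counted as several offences.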

My company serves US citizens only. I would think you would be asking us to block all traffic outside the US in order to guard your data. Less surface area is less surface area no matter how you slice it with different knives. -- and to those with an APO address, you don't use our service, it isn't an issue.